{"id":"PYSEC-2021-432","details":"Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, and the `oneof` directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.","aliases":["CVE-2021-21401","GHSA-7mv5-5mxh-qg88"],"modified":"2023-11-08T04:04:44.596402Z","published":"2021-03-23T18:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88"},{"type":"FIX","url":"https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261"},{"type":"REPORT","url":"https://github.com/nanopb/nanopb/issues/647"},{"type":"WEB","url":"https://github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1"}],"affected":[{"package":{"name":"nanopb","ecosystem":"PyPI","purl":"pkg:pypi/nanopb"},"ranges":[{"type":"GIT","repo":"https://github.com/nanopb/nanopb","events":[{"introduced":"0"},{"fixed":"e2f0ccf939d9f82931d085acb6df8e9a182a4261"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.9.8"},{"introduced":"0.4.0"},{"fixed":"0.4.5"}]}],"versions":["0.3.9.4.post3","0.3.9.5","0.3.9.6","0.3.9.7","0.4.0","0.4.1","0.4.1.dev1003","0.4.1.dev1007","0.4.1.dev1012","0.4.1.dev1013","0.4.1.dev1017","0.4.1.dev1036","0.4.1.dev959","0.4.1.dev961","0.4.1.dev962","0.4.1.dev964","0.4.1.dev971","0.4.1.dev978","0.4.1.dev980","0.4.1.dev985","0.4.1.dev987","0.4.1.dev988","0.4.1.dev996","0.4.1.dev997","0.4.2","0.4.2.dev1041","0.4.2.dev1043","0.4.2.dev1044","0.4.2.dev1045","0.4.2.dev1048","0.4.2.dev1050","0.4.2.dev1053","0.4.2.dev1054","0.4.2.dev1055","0.4.2.dev1058","0.4.2.dev1059","0.4.2.dev1063","0.4.2.dev1066","0.4.2.dev1070","0.4.2.dev1071","0.4.2.dev1072","0.4.2.dev1076","0.4.2.dev1088","0.4.2.dev1091","0.4.3","0.4.3.dev1128","0.4.3.dev1131","0.4.3.dev1132","0.4.3.dev1133","0.4.3.dev1137","0.4.3.dev1150","0.4.3.dev1164","0.4.3.dev1172","0.4.3.dev1175","0.4.3.dev1177","0.4.4","0.4.4.dev1181","0.4.4.dev1182","0.4.4.dev1184","0.4.4.dev1185","0.4.4.dev1188","0.4.4.dev1192","0.4.4.dev1193","0.4.5.dev1212","0.4.5.dev1214","0.4.5.dev1215","0.4.5.dev1217","0.4.5.dev1220","0.4.5.dev1224","0.4.5.dev1233","0.4.5.dev1234"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nanopb/PYSEC-2021-432.yaml"}}],"schema_version":"1.7.3"}